Downloading attachment without permission

 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
Using JForum version 2.1.7, it's possible to download an attachment from a forum in which the user has no permission to read/write posts. Of course, only if you know the exact URL, something like:
http://jforum/posts/downloadAttach/_postID_.page

I've added those lines to the net.jforum.view.forum.PostAction downloadAttach() method:

Maybe it's not the best way...
[originally posted on jforum.net by ramons]
 
There's not just the permission sets to read/write, but also to allow download of attachments in the listed forums.

Have you tried to use those attachment-limitation properties too? I guess those are the ones that may be checked possibly ... though I have to admit I did not yet test it. Takes a lot of fantasy to get there ;)

In addition to that we allow download of attachment for any of the ppl that can log on - and only users that have been authed by the SSO implementation ever can log on ^^
[originally posted on jforum.net by Sid]
 
Please create a JIRA issue about this (very easy!) and attach your fix. It's more likely to get fixed if it's in JIRA. Things like this in the forums tend to get lost in all the traffic.

TIA
[originally posted on jforum.net by monroe]
 
In the current CVS source, there is already a patch for this:

You have to modify SystemGlobals.properties or jforum-custom.conf for the following setting:


This will force anonymous users to log in first before they can download an attachment.
[originally posted on jforum.net by andowson]
 
Sid wrote: Have you tried to use those attachment-limitation properties too?

I don't really understand what "attachment-limitation properties" means. I guess you're talking about the "Quota limits" in the Admin Panel. I didn't find anything other than size limitation.

andowson wrote: In the current CVS source, there is already a patch for this

As far as I understand, that patch just checks for the user permission to add attachments and download them, but does it check the permission per forum category? I mean, a user is in a category with those permissions but the topic where the file is doesn't belong to the same category. Will "SecurityRepository.canAccess(SecurityConstants.PERM_ATTACHMENTS_DOWNLOAD)" check the permission for the category of the forum where the topic is, or just whether the user has this right?

monroe wrote: Please create a JIRA issue about this (very easy!) and attach your fix

I didn't do it because I thought the code is not well coded, but I'll do it as soon as somebody can tell me if the CVS patch does what I want or not; otherwise it's a waste of time for the JForum developers.

Thanks for your tips!

PS: as far as I see there are lots of improvements in the next JForum version, I'm really looking forward to it.
PS2: does anybody know which version this JForum is?
[originally posted on jforum.net by ramons]
 
Ramons, no, I was not speaking of the quota settings. Have a look at the permission sets for users or groups. There you'll find

Attachments
Enable Attachments
Allow download of existing Attachment

Hence you can disable the download for anonymous users, or certain user groups. And you can set in which forums attachments may be allowed or not.
[originally posted on jforum.net by Sid]
 
The patch in CVS will force anonymous users to log in first before downloading an attachment file. If this is what you want, then the CVS can be used to do so. But if you want to check the permission after login, JForum doesn't provide this functionality on category.
And currently there is no category-level permission for setting a user group's rights. You have to do it on each board.
[originally posted on jforum.net by andowson]
 
If so, then the update documentation for 2.1.7 to 2.1.8 has a flaw, as it does not describe that there are new necessary parameters, nor is there information on updating the language files, which may be necessary for showing the new setting on the admin panel ... just a guess though ...

If you already put up documentation for upgrading to a version that is not even available officially, please make sure it lacks no information ...
[originally posted on jforum.net by Sid]
 
Sorry, but I'm getting mad about this. Now I don't understand if I'm doing something wrong or if what I want is not implemented.
I hope some developer can show me the light. I'm gonna try to explain the situation.

Let's say userA and userB.
userA is in groupA/categoryA and userB in groupB/categoryB.
There's forumA associated to categoryA and forumB to categoryB.
userB posts a file to forumB and gives the download link to userA.
In the jforum_roles table I have the role 'perm_attachments_download' per forumA-groupA and another one for forumB-groupB.
Even so, userA can download the file userB has posted.
Is this normal behaviour?
Does SecurityRepository.canAccess(SecurityConstants.PERM_ATTACHMENTS_DOWNLOAD) just check if the user has the 'perm_attachments_download' role, no matter which forum it is for?

I'm sorry I can't explain myself in a better way.
[originally posted on jforum.net by ramons]
 
Well, I think I've found what I want.
In the CVS code there's:


but I think that the second canAccess call should be done this way:


Please correct me if it's wrong, otherwise I'll submit it to Jira.
Thanks in advance
[originally posted on jforum.net by ramons]
 
Sid wrote: If so, then the update documentation for 2.1.7 to 2.1.8 has a flaw, as it does not describe that there are new necessary parameters, nor is there information on updating the language files, which may be necessary for showing the new setting on the admin panel ... just a guess though ...

If you already put up documentation for upgrading to a version that is not even available officially, please make sure it lacks no information ...


The documentation is not 100% yet, and neither is 2.1.8

Rafael
[originally posted on jforum.net by Rafael Steil]
 
ramons wrote: Well, I think I've found what I want.
In the CVS code there's:


but I think that the second canAccess call should be done this way:


Please correct me if it's wrong, otherwise I'll submit it to Jira.
Thanks in advance


Why do you think that?

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Oops, sorry, I mixed it up.
I'm gonna try to explain myself.
As far as I understand there are two permissions associated with attachments:
- PERM_ATTACHMENTS_DOWNLOAD and
- PERM_ATTACHMENTS_ENABLED

The PERM_ATTACHMENTS_ENABLED role has an associated value, which is a forumID. So this role is per forum and group, isn't it?

So why is it not checked the same way when getting an attachment? It seems to me that the condition to download the attachment is that the user has PERM_ATTACHMENTS_ENABLED in any forum, not in the one we're trying to download from.

Thanks,
Ramon
[originally posted on jforum.net by ramons]
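
The scenario ramons describes in this thread (a download role stored per forum and group, but checked without naming the forum), as an added Java example that is not JForum code and not part of any post. All class, method and data names below are hypothetical and the ids are constructed.

```java
import java.util.List;
import java.util.Map;

// Self-contained model of the scenario in this thread; it is not JForum source.
// RoleRow, ROLES, GROUP_OF, FORUM_OF_ATTACHMENT and both check methods are hypothetical.
public class AttachmentAccessDemo {
    // One row per (group, role, forum), like the jforum_roles setup described above.
    record RoleRow(String group, String role, int forumId) {}

    static final String PERM_ATTACHMENTS_DOWNLOAD = "perm_attachments_download";
    static final int FORUM_A = 1, FORUM_B = 2;   // constructed ids

    static final List<RoleRow> ROLES = List.of(
        new RoleRow("groupA", PERM_ATTACHMENTS_DOWNLOAD, FORUM_A),
        new RoleRow("groupB", PERM_ATTACHMENTS_DOWNLOAD, FORUM_B));

    static final Map<String, String> GROUP_OF = Map.of("userA", "groupA", "userB", "groupB");
    // attachment id -> forum of the post it belongs to (constructed data)
    static final Map<Integer, Integer> FORUM_OF_ATTACHMENT = Map.of(100, FORUM_B);

    // Role-only check: true if the user's group holds the role for ANY forum.
    static boolean canDownloadRoleOnly(String user) {
        String group = GROUP_OF.get(user);
        return ROLES.stream().anyMatch(r ->
            r.group().equals(group) && r.role().equals(PERM_ATTACHMENTS_DOWNLOAD));
    }

    // Per-forum check: resolve the attachment's forum, then require the role for that forum.
    static boolean canDownloadPerForum(String user, int attachmentId) {
        Integer forumId = FORUM_OF_ATTACHMENT.get(attachmentId);
        String group = GROUP_OF.get(user);
        if (forumId == null || group == null) {
            return false;   // unknown attachment or user: deny by default
        }
        return ROLES.stream().anyMatch(r ->
            r.group().equals(group)
                && r.role().equals(PERM_ATTACHMENTS_DOWNLOAD)
                && r.forumId() == forumId);
    }

    public static void main(String[] args) {
        // userB uploaded attachment 100 in forumB and handed the link to userA.
        System.out.println("role-only, userA: " + canDownloadRoleOnly("userA"));
        System.out.println("per-forum, userA: " + canDownloadPerForum("userA", 100));
        System.out.println("per-forum, userB: " + canDownloadPerForum("userB", 100));
    }
}
```

The role-only check lets userA through because groupA holds the role for forumA; the per-forum check denies userA and still allows userB. The record type needs Java 16 or later.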
 
Yes, it makes sense. Please add this to Jira.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Ok, thanks, I'm working on this. The PERM_ATTACHMENTS_DOWNLOAD will also change from Yes / No to "perm-forum" role, just like PERM_ATTACHMENTS_ENABLED.

It does make more sense, right?

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Added to Jira as JF-731
Maybe somebody can improve it because I don't know a better way to get the forumID associated to the attachment.

Pleased to help.
--
Ramon
[originally posted on jforum.net by ramons]
 
Ok, the changes are in the CVS now.

Rafael
[originally posted on jforum.net by Rafael Steil]
 